Honestly? You don't.

You back everything up on to an external drive, back up your drivers (use double driver), backup your licence keys (use key finder) and back up your windows tokens (use advanced tokens manager).

And then you do a full format and reinstall. If you're on windows 8 there is an option in windows to do this (someone else with windows 8 will be able to tell you) so you can skip backing up your tokens.

You could follow one of the numerous guides on the web (including one here on MF by Deezer) but there is absolutely no guarantee that you'll have nuked the virus. If you haven't, well, all that work you did has gone to waste.

Backup, format, reinstall. It sucks, it'll take half a day but at least you'll be certain that you're got rid of whatever you had.
posted by mr_silver at 12:51 AM on May 14, 2015 [4 favorites]

The "deezer" mr. Silver is referring to above is actually named Deezil - he is a mefi member who has a comprehensive guide to malware removal posted right in his profile and I can speak to both his computer knowledge and his willingness to help.
posted by EmpressCallipygos at 3:17 AM on May 14, 2015 [2 favorites]

Seconding wiping and reinstalling (and changing all of your important passwords) if you have malware.

To use a movie analogy, your computer is now in the Matrix. Your antivirus tools can ask the operating system if bad things exist, but because the operating system is subverted by the malware, it will reply back that nothing bad is there. The way to break free of the Matrix is to boot into a clean operating system, such as a Linux on CD/USB distribution, which is not controlled by the malware, and then clean up every booby trap left behind. If you miss one, you're back to square one again. I have cleaned up deep seated malware before and frankly I'd charge more than the cost of a new computer to do it again because it's tedious and annoying. It's faster and easier to just start from scratch in most cases.

What is generating that list of domains?

P.S. Buy the kid(s) a Chromebook. If you're convinced that your son caused the malware infections, you can greatly reduce the chances of your important accounts getting compromised if you isolate his browsing to a hardened and easy to blow away operating system.
posted by Candleman at 3:39 AM on May 14, 2015

deezil's profile, as mentioned by EmpressCallipygos above.
posted by hangashore at 5:02 AM on May 14, 2015 [2 favorites]

Create another local user, log in as that user and see if these pings persist. If not, then blow away the profiles.

Another option would be to see if you have any system snapshots and revert to one of those.
posted by cjorgensen at 8:44 AM on May 14, 2015

The DNS queries certainly look suspicious, like an ad click fraud scheme, but some innocent stuff can cause some really weird looking DNS requests too. If they happen at a predictable time, you might be able to identify what's going on by using something like Sysmon. If it's poorly written malware, you also might be able to use something like Autoruns to track it down.

If you want to try to get rid of it, you can load a Linux Live CD/USB distribution that has Clam A/V, update its malware signatures, and see if it finds it.

The other main thing to do to try to narrow down what's causing the problem, you can generate a list of all of the files in the Windows directory (including subdirectories) while in Windows then boot into Linux and do the same thing. If there's files that Windows doesn't see but Linux does, those are ones to start examining to look for malware signatures.
posted by Candleman at 11:11 AM on May 14, 2015 [1 favorite]

This thread is closed to new comments.